Breaking down the walls between IT and physical security

March 28, 2016
Connected Security Expo keynote speakers say organizational silos are no longer acceptable

As physical security solutions continue to migrate from analog to IP at an ever-increasing pace, the lines between the physical security and IT security worlds have also begun to blur. The enhanced capabilities that come with deploying video surveillance, access control and other systems on the network also bring increased risk in the form of cyber-attacks. As IP-enabled devices proliferate, more IT professionals are now charged with overseeing the implementation of these technologies within their organizations and thus have more power when it comes to security purchasing decisions.

Next week in Las Vegas, the inaugural Connected Security Expo will take place in conjunction with ISC West. The event looks to shine a light on how the security industry has been, and continues to be, reshaped by convergence, and will bring together both physical and cyber security professionals to discuss the threats facing the industry. The conference’s keynote speakers include Herb Kelsey, chief architect at Guardtime, and Matthew Rosenquist, cyber security strategist for Intel. Kelsey has spent the bulk of his career working for large-scale enterprises, such as IBM, and has also designed and built cybersecurity programs for the federal government. Rosenquist started his career in security on the physical side, conducting audits and investigations, before moving into cybersecurity at Intel, where he introduced and led the company’s first CERT (computer emergency response team) unit; he now serves as its cybersecurity futurist.

With the Internet of Things (IoT) taking hold in physical security as more and more devices are given IP addresses, Kelsey believes the industry has opened itself up to a broader range of vulnerabilities and also introduced more access points that hackers can leverage to obtain an organization’s intellectual property.   

“It’s not clear as an industry – whether it’s the IT security side or the physical security side – that they really understand the implications of that,” said Kelsey.

Rosenquist echoed Kelsey’s sentiments and said that, looking at the trajectory the industry is on, it’s inevitable that physical and logical security have to merge.

“As companies embrace technology to be able to better serve customers, to better connect with new customers in new markets, to optimize and compete within their marketspace, they are using new technologies that are tremendous tools, but as a part of that, these technologies are connecting to critical resources, assets and capabilities. That then opens them up to a certain number of risks,” explained Rosenquist. “For the most part, companies don’t even understand what the scope of those risks is or how to address it.”

According to Kelsey, one of the systemic problems is that each side – physical security and cybersecurity – has been seen as less important by the other, and the biggest consequence of that way of thinking is increased security exposure for organizations.

“Both of these communities have a preconception that they are independent from each other and it’s comfortable thinking that way but it’s really not true,” said Rosenquist. “A lot of cybersecurity folks grew up in the technology space and they look at it as a technology problem and that it can be solved with technology. In reality, it’s only half. Cybersecurity is half technology and it’s half behavioral. On the flip side, physical security has always looked at the threat to be a person and approached it from that perspective. When you step back, there is this convergence that’s coming between looking at threats purely from a behavioral perspective versus a technology perspective. Both parties need to understand there are shortcomings in their view and that they really have the same objectives – protecting assets and preventing or reducing the amount of loss an organization experiences – and that the playing field is merging.”

In their ambition to realize all of the benefits that connected technology provides, Kelsey believes there has been “blindness” on the part of organizations and even security professionals when it comes to attaching mission-critical systems to the Internet.

“The Internet that we see today and the Internet that we attach these devices to has to be two different things and nobody is really interested in that. It’s convenient to ignore the problem and make a lot of money,” added Kelsey.

For a long time, according to Rosenquist, end users didn’t really feel a lot of pain when it came to data breaches. He said that many companies had the attitude that their insurance companies would cover the losses and that consumers knew a retailer or bank would pick up the tab for bogus debit or credit card charges. However, with the evolution of smart cars and other connected systems in the transit space, cybersecurity vulnerabilities are quickly transforming into life safety issues.

“We love self-parking cars. If you need to parallel park, you hit a button and the car parks you. It’s a wonderful feature, but what a lot of people don’t understand is the computer inside the car has to have control of your acceleration, your steering and your braking,” said Rosenquist. “Now do you really want a bad guy, when you’re traveling down the highway, to be able to tap into that and have control of your car? That is a life safety issue and as we eventually start seeing that this year and next, now you get that tipping point of where, ‘Wait a second, that’s a pain I don’t want to experience. It’s real to me, it’s real to my family and it’s not acceptable.’ We’re going to see a change. We have to.”

Given the threats organizations face today, Rosenquist believes that physical and IT security need to find common ground upon which they can both work together more efficiently to improve the overall security posture of the businesses for which they work.

“Anytime you’ve got physical and cyber in the same room, in most of the instances I’ve seen, they want to call out the differences and they want to keep their own kingdoms. The reality is the executives and the stockholders are expecting them to accomplish the same goals, just in different fields and those fields are merging,” said Rosenquist.

“What I’m starting to see is the budgets are merging,” Kelsey said. “A lot of the fighting within organizations is because they perceive they’re fighting for the same budget dollar, but as you merge those budgets… those walls start to come down. I think if you push the money together, you end up getting better results.”